Have you seen the movie Inception? The movie is about dreams and how dream scientists can make their way into peoples’ dreams to get things done. One of the key sequences in the film is the ability to enter the dream of the dream, as if one is asleep dreaming, and dreaming about one being asleep within the dream — the characters then incepted themselves into that nested dream.

What is Nested Virtualization in Windows Server 2016?

That sort of nested entity, a dream within a dream, is analogous to a new feature in Hyper-V in Windows Server 2016. It’s called nested virtualization, and it involves installing the Hyper-V hypervisor role on a physical host, setting up guest virtual machines on that host, and then from within the guest virtual machine, deploying the Hyper-V role in the guest and then creating guest virtual machines on the guest of the host.

Guest Prime might be a way to refer to these virtual machines. You could not do this in a functional way in Windows Server 2012 or Windows Server 2012 R2 alone. You could hack around it in a way that let you create virtual machines, so they would actually exist, but you could not switch them on and use them, which really limited the practical nature of this feature. You could, of course, install VMware and then use that as the hypervisor, and let your guests run Hyper-V for nested virtualization. But all of that has changed in Windows Server 2016, and the situation is a lot cleaner than it was.

Common Nested Virtualization in Hyper-V Scenarios

Why in the world would you want to use nested virtualization? There are a few scenarios that make sense here:

Container Support. The biggest use of this nested functionality is to support containers, which are prepackaged applications that contain workload code and configured operating systems and virtual machines to run that code. You just ship the container to your host or your datacenter and click On or Play, and it all works. The nested virtual machine approach allows full separation of workloads within a container, which may be advantageous for security or management approach, while still allowing the whole solution to be packaged up for transport as “just one virtual machine to go.”

Easier Creation of VMs. It’s easier to create and share virtual machines because you no longer need a one-to-one relationship between the people who need to create virtual machines and physical Hyper-V machines. Now, people who need to create VMs can create them from within guest VMs, which saves money on real silicon: no more separate test-dev laptops and production laptops.

Quickly Fire Off VMs. In lab environments and in teaching scenarios, the ability to quickly fire off virtual machines from wherever you are will be quite useful, especially if you’re modeling deployment of complex systems and need some quick answers as to how some software behaves. For instance, you will be able to create demonstration Hyper-V clusters to verify failover functionality and test scripts and custom code that previously would have required big iron to handle.

Nested Virtualization Requirements

Unfortunately, nested virtualization is not a currently functional feature in the latest Windows Server technical preview, so we’re left to wonder what requirements and features this technology will have as Windows Server development gets further down the line.

Here are some base assumptions I have about support for nested virtualization:

I suspect nested virtualization will require Windows Server 2016 or Windows 10 in the guest virtual machines, as well as in the host. One can imagine that, due to licensing restrictions, you might only be able to use Windows Server 2016 in the host, the guest, and the nested guest. This is only speculation at this point, mind you, but it is certainly possible.

I suspect you will only be able to connect nested guests – Guest Primes, that is, if I can coin a phrase – to a private network or bridge it with the physical host’s network connection. In fact the networking aspect of this whole feature will probably be somewhat thorny, so we will have to examine this when we get a functional beta build.

I suspect we will see this nested virtualization feature in conjunction with a Ship to Azure wizard which will package up a collection of VMs currently running and then just pipe them up to the Azure datacenter, registered of course against your Azure subscription.

Let me know your thoughts on this new Windows Server 2016 feature by reaching out to me on Twitter or in the article comments below. Thanks for reading!


Have you ever tried to make a configuration change on a Friday afternoon, right before beer o’clock, and you couldn’t get access to the machine you needed to change? This problem might be caused by out-of-date security settings, a network change, or something else. All you need to do is execute a couple of lines of PowerShell, but this problem prevents you from making a simple configuration change.

What is PowerShell Direct?

PowerShell Direct promises to solve this problem for you as long as you’re living on the latest releases. PowerShell Direct lets you breach the boundary between hypervisor host and guest virtual machine in a secure way to issue PowerShell cmdlets and run scripts easily. Currently, it’s limited to Windows 10 and Windows Server 2016 guests living on Windows 10 and Windows Server 2016 Hyper-V hosts; no currently released operating systems support this feature, although it works in the technical previews for both future versions of the product. Also, Windows Nano Server hosts and virtual machines do not currently work with this either, although you can safely bet that that fact will change in the months to come.

The best part of PowerShell Direct is that it just works, every time, without a bunch of faffing about to get security settings configured, holes poked in firewalls, and flaky remoting set up. From a host, you can open a PowerShell session directly on the guest with just a couple of cmdlets.

First, run Get-VM to get a list of all virtual machines that are running on a Hyper-V host.

Look for the VM name, and then use the next cmdlet to begin a PowerShell Direct session:

Enter-PSSession -VMName VMName

You will be prompted to authenticate to the guest operating system using an account that it accepts, which could be either a local machine account or an Active Directory account if the guest OS is a member of a domain. After authenticating, the session you are dumped into is just like a regular remoting session over the network — you have opened a PowerShell session directly into the guest, and you’re free to do your bidding. It has to be running on the current host, and it has to be Windows 10 or Windows Server 2016, but other than that nearly every cmdlet will work and those that do not yet will eventually get fixed before RTM.

In a script, you can make use of PowerShell Direct through the Invoke-Command cmdlet, which simply accepts the name of the guest VM as a parameter, and then you can input the script you wish to run within the curly braces, like so:
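The following is an added example (not code from the article) of driving a guest over PowerShell Direct from the host with Invoke-Command, including the readiness check the “status checks and state verification” scenario later in the article describes. The guest name WEB01 and the service names are hypothetical; it assumes a Windows Server 2016 or Windows 10 host and guest, and that you hold an account the guest accepts.

```powershell
# Added example, not from the article: run a script block inside a guest over
# PowerShell Direct. Assumes a guest named 'WEB01' (hypothetical) on this host.
$vmName = 'WEB01'
$cred   = Get-Credential -Message "Local or domain admin account for $vmName"

# PowerShell Direct only reaches guests running on *this* host, so check first.
$vm = Get-VM -Name $vmName -ErrorAction Stop
if ($vm.State -ne 'Running') {
    throw "$vmName is $($vm.State); PowerShell Direct needs a booted guest."
}

# Invoke-Command fails while the guest OS is still coming up, so probe it
# with a trivial script block and retry a few times before giving up.
$ready = $false
for ($i = 0; $i -lt 12 -and -not $ready; $i++) {
    try {
        $null = Invoke-Command -VMName $vmName -Credential $cred -ScriptBlock { $true } -ErrorAction Stop
        $ready = $true
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $ready) { throw "$vmName did not answer over PowerShell Direct." }

# Arguments cross the host/guest boundary through -ArgumentList; the block
# receives them via param(). The unary comma keeps the array as one argument.
$services = 'W32Time', 'WinRM'   # hypothetical services to verify
$report = Invoke-Command -VMName $vmName -Credential $cred -ArgumentList (,$services) -ScriptBlock {
    param([string[]]$ServiceNames)
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        LastBoot     = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        Services     = Get-Service -Name $ServiceNames | Select-Object Name, Status
    }
}
$report | Format-List
```

Everything inside the script block executes in the guest, so $env:COMPUTERNAME and Get-Service report the guest’s values, not the host’s; no network path, firewall rule or WinRM listener on the guest is involved.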

This only works for guest virtual machines that are directly on the host. PowerShell Direct works in a cluster, but it can only bust through and connect to guest operating systems that are currently hosted on that node.

PowerShell Direct Benefits and Uses

What are some scenarios where the PowerShell Direct capability is useful?

Firewalls, domain security policies, and network configurations. PowerShell Direct is great any time you don’t want to mess with firewalls, domain security policies, and network configurations that get in the way of connecting to your guest virtual machines. With PowerShell Direct, you can basically push yourself through the barrier and communicate with the guest OS regardless of what security policies are in place. “Oh, is this port open?” “Oh, have I disabled the firewall?” “Oh, man, I didn’t reserve a management network interface card on this host.” All of these excuses go away with PowerShell Direct.

Correcting mistakes. You might have performed a configuration change over a regular PowerShell remoting session and inadvertently locked yourself and anyone else out of the virtual machine. With PowerShell Direct, as long as the guest operating system is booted, you can enter as a local administrator and fix the issue and restore access.

Configuring new virtual machine farms on a Hyper-V host. If you are a systems integrator or consultant, chances are you have a solution stack that you put together made up of the same hardware and software configurations, and you simply deploy it over and over again to different customers. Configuring Exchange, Remote Desktop Services, and SharePoint can only be so much fun, so you can put together PowerShell scripts to deploy each of those workloads on different virtual machines on your host, and you can simply execute them via PowerShell Direct — no messy agent or remoting required.

Status checks and state verification. Ever had a really big workload hosted as a guest virtual machine? You can use PowerShell Direct to execute simple queries to find out if a guest VM is done booting, if it is in a desired configuration, and to use desired state configuration to push or pull the correct configurations to get the guest operating system where it needs to be.

Give it a shot today in the Windows 10 and Windows Server 2016 technical preview.


In the wake of all the email security breaches we’ve had over the last few years, it’s time to enable two-factor authentication on any account that’s important to you. Thanks to various leaks, many crackers have started relying on hacking email addresses in combination with passwords to gain access to user accounts.

Luckily, Microsoft makes available two-factor authentication on all Microsoft accounts — these are the accounts used to access Outlook.com, Skype, your Windows Phone services, and more. In this article, I’ll take a look at how to enable two-factor authentication on your Microsoft account.

What is two-factor authentication?

Two-factor authentication involves two factors: the first is something you have and the second is something you know. To log into an account or service that has two-factor authentication enabled, you are generally prompted to enter your username and password, after which the service texts a one-time code to your mobile phone that you enter in the next step of the login process. By enabling this protection, your account and password security are increased because any nefarious characters would also need access to your mobile device, which is generally something that’s always in your possession.

Enabling two-factor authentication on Microsoft accounts

It is fairly easy to get set up. Sign in to your Microsoft account and click the Security & privacy link located at the top of the page. You’ll be directed to the Security settings page, where you’ll find a two-step authentication option below.

Microsoft account security settings. (Image Credit: Blair Greenwood)

Under the two-step authentication option, click Set up two-step verification.

Next, Microsoft will prompt you to select the platform your smartphone operates on. If you’re not interested in the authenticator app or you don’t own a smartphone, you can click Set it up later. You may want to consider using the authenticator app as opposed to voice calls or SMS text messages, because the app acts much like an RSA SecurID token, presenting a one-time password code that the service accepts. As a result, the app doesn’t need a network connection to get a code sent by the service, because the algorithm matches up the codes in a preconfigured way.

Set up an identity verification app. (Image Credit: Blair Greenwood)

The service generally uses the Google authenticator app, which you can pair with your Microsoft account by scanning a QR code.
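The “preconfigured” matching the article mentions is time-based one-time passwords (RFC 6238 TOTP, built on RFC 4226 HOTP), which is the scheme Google Authenticator implements: the QR code carries a shared secret, and both the app and the service compute an HMAC-SHA1 over the current 30-second time step. The following added example (not code from the article or from Microsoft) reproduces that computation in PowerShell so you can see why no network round trip is needed. The secret below is the RFC 6238 test-vector key, not a real account secret.

```powershell
# Added example, not from the article: compute a TOTP code offline the way an
# authenticator app does. Uses only .NET classes available in Windows PowerShell.

function ConvertFrom-Base32 {
    # Authenticator secrets are Base32 (RFC 4648) text; decode to raw key bytes.
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Base32.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid Base32 character '$c'" }
        $bits += [Convert]::ToString($idx, 2).PadLeft(5, '0')
    }
    $bytes = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return $bytes.ToArray()
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [int64]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$StepSeconds = 30,
        [int]$Digits = 6
    )
    # The moving factor is the number of 30-second steps since the Unix epoch,
    # encoded as an 8-byte big-endian counter (RFC 4226).
    $counter = [int64][math]::Floor($UnixTime / $StepSeconds)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }

    $hmac = [System.Security.Cryptography.HMACSHA1]::new((ConvertFrom-Base32 $Base32Secret))
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window,
    # whose top bit is cleared to keep the value positive.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8) -bor
              ($hash[$offset + 3] -band 0xFF)
    $modulus = [int64][math]::Pow(10, $Digits)
    return ($binary % $modulus).ToString().PadLeft($Digits, '0')
}

# Constructed demo secret: the RFC 6238 test-vector key '12345678901234567890' in Base32.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
"Code right now : $(Get-TotpCode -Base32Secret $secret)"
# RFC 6238 test vector: at Unix time 59 the 8-digit SHA-1 code is 94287082.
"RFC 6238 vector: $(Get-TotpCode -Base32Secret $secret -UnixTime 59 -Digits 8)"
```

Because both sides derive the code from the shared secret and the clock, the only thing an attacker who captured your password still lacks is the secret stored in the app; the trade-off is that the phone’s clock must be roughly correct, which is why services accept a step or two of drift.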

Next, you can choose how to verify your identity outside of the authenticator app. You can have voice calls or text messages sent to the number already included in your profile. You need to verify your identity once through the service, and after you do that and enter the code properly, you will receive a recovery code, which looks a lot like a regular product license key. Save this in a safe place so that you can use it to restore access to your account if you ever get locked out for some reason.

Next, the wizard will prompt you to set up an app password for your Android, iPhone, or Blackberry smartphone. If it senses that you have synced a Windows Phone 7 or 8 device to your Microsoft account, it will give you directions on replacing your current password with the newly generated app password. You can come back to this section later if you need to look at it again, which you probably will, because your Xbox, the Outlook desktop application, Office, Windows Essentials, and (heaven help you if you use this) the Zune desktop app will all need new app passwords. Click Next to finish the process.

Generating App Passwords

To get new app passwords for programs that do not support the use of one-time codes, navigate to the App Passwords option, located in the Security & privacy tab, which is the same tab we used to find the two-step verification option. Click Create a new app password, and the service will automatically generate a password for you. Write this down, and follow the instructions to use it in the app. If you’ve already set up app passwords, you can also click the Remove existing passwords option.

Update Your Security Best Practices Now

Using passwords as your sole security measure is so 2004. Enable two-step verification on your Microsoft accounts today so that you can be worry free when the next massive security leak hits.


Jonathan Hassell gives us a first look at the preconfigured Microsoft Cloud Platform System, which combines hardware, storage and networking provided by Dell and a software stack provided by Microsoft.

You might be familiar with the recent trend in converged infrastructure, where software and hardware are teamed up in a custom, generally available bundle. Oracle is famous for its Exadata kit which combines a rack of compute hardware and networking with a specially tuned release of its database software and sells it for hundreds of thousands of dollars.

Microsoft is jumping into this game with the Microsoft Cloud Platform System Powered by Dell. It is a preconfigured appliance that combines engineered hardware, storage, and networking provided by and engineered by Dell, with Windows Server and other software from Microsoft and others, in a defined configuration that is backed up by a high level of support with a single point of contact.

The Microsoft Cloud Platform System runs on Windows Server, System Center, and Windows Azure Pack on top of Dell hardware. (Image: Microsoft)

According to Microsoft, the idea behind the Cloud Platform System (CPS) is to have a common experience among multiple clouds, whether it is up in Microsoft Azure, a service provider cloud, or an on premises private cloud. By purchasing this CPS solution, you receive an Azure-consistent cloud in a box, using the same software that Microsoft runs its public cloud service with. As far as support goes, Microsoft can provide very prescriptive guidance about deploying typical workloads like Exchange, SQL Server, System Center, SharePoint, and even Linux on this hardware because it knows exactly what components are in play and precisely how to tweak every last ounce of performance out of this known configuration.

The Microsoft Cloud Platform System Explained

What is the CPS made of? The hardware is Dell PowerEdge servers, Dell storage, and Dell networking gear. Sold in increments of one rack apiece up to four coordinating racks, each CPS has 512 processing cores, eight terabytes of RAM, 262 TB of storage available for use (more is included to cover the overhead of the system), connectivity within the appliance of 160 GB/s and outside the CPS of 60 GB/s, all within a standard 42U rack. All of this is accomplished through 32 Dell PowerEdge C6220ii hosts for Hyper-V, four Dell PowerEdge R620v2 servers for storage and file services, and four Dell PowerVault MD3060e JBODs for the raw disks.

The software is Windows Server 2012 R2, System Center 2012 R2, and the Windows Azure Pack. This is the exact same code that powers Azure and Hyper-V; there is no “special sauce” in this software. The unique value proposition in the CPS lies in the integrated and validated testing Microsoft performed and the configurations and deployment that let the company stand behind the SLA they developed, all of which integrates the compounded wisdom from running these software packages at scale in Azure, something the company has in the past called its “virtuous cycle.”

Microsoft touts the fact that the Cloud Platform System runs on the familiar Windows Server application stack. (Image: Microsoft)

Windows Azure Pack is at the top of the stack and provides an administrative portal and a tenant portal, both of which are the same technologies that actually power the Azure public cloud. Customers can serve themselves using prepackaged solution offerings that administrators can configure.

What does all of this buy you? A single rack deployed in a common configuration will support 8000 VMs running two virtual CPUs and 1.75 GB of RAM apiece, and 7/10 of a petabyte of usable storage for tenants. There’s a lot of power here.

Microsoft Cloud Platform System Features: A Deep Dive

There are several advantages to going the appliance route to the cloud:

It is certainly the quickest way to get the necessary configuration to deploy a private cloud. For a princely sum, you get a cloud delivered to you on a forklift. You plug it in and start playing, since Microsoft and Dell have done all of the dirty work around component selection, installation, and testing for you.

The appliance is redundant in many ways, making for a highly available solution. In this case, you can lose one instance of something (power, networking, or another component) within the CPS without the whole kit going down.

It is easier to support, without the usual cycle of finding bugs in the operating system, drivers, hardware, log collections and more, and then lathering, rinsing, and repeating. Since the configuration of the appliance is known, engineers at support can get right to work diagnosing an issue, because component interplay is by definition ruled out. Customers of the CPS can call a single point of contact at Microsoft that will take the lead in any support problem, regardless of whether it is compute or software related.

There are other, more intangible benefits as well. For instance, one is the predictability of the supply chain. Microsoft knows from running so many systems that hard drives that are higher up in the chassis, furthest away from the cooling system, fail more often, and more predictably, than drives positioned differently. The company only knows this because it operates at such scale that it can see these trends over thousands of systems. That knowledge and wisdom is baked into the CPS.

Packing more performance (and infrastructure) into self-contained units running on standard hardware is a key feature of the Cloud Platform System. (Image: Microsoft)

Additionally, with CPS comes the ability to perform orchestrated updates. CPS was designed in such a way that updates can be applied to the entire stack such that the customer SLA is maintained and the tenant workloads never go down regardless of how or when the update is applied. As it was described to me in the pre-release briefing last week, “you never know when Google is patched,” and this system is designed for that seamless operation as well.

The Microsoft Cloud Platform System will be sold and supported by Dell. (Image: Microsoft)

Thirdly, the CPS will provide a series of validated workloads or known good configurations with tweaks, customizations, and modified deployments that result in the best performance possible out of popular applications on the appliance. Customers can take Microsoft applications and deploy them in a totally supported way because everything about the boxes on which the software is deployed is known, right down to the patching level. When customers deploy Exchange, SQL, and others, there is directly applicable guidance and support. Microsoft confirmed that they support Linux running on CPS as well.

The solution is available for order starting today, and while Microsoft would not comment on price, similar converged hardware solutions from Microsoft and other companies for other purposes run well into the six figures, so expect the same here. An interesting solution indeed for companies with deep pockets that want a cloud in a box rather than piecing one together over several months.


In the wake of approximately five million Gmail account passwords and email addresses being leaked by Russian ne’er-do-wells, it is time to enable two factor authentication on any account that is important to you. (While Google does not seem to have been at fault for this leak, many users use the same password in multiple places, and coupled with the address leak, crackers have started trying each address in combination with some passwords to attempt to gain access.) Since a vast swath of the Internet public uses Gmail, Google has seen fit to enable two factor authentication for their online properties. In this article, I will show you how to set up the protection and use it.

A quick refresher on exactly what two factor authentication is—it involves something you have (the first factor) and something you know (the second factor). To log into an account or a service for which you have enabled two factor authentication, you are generally prompted to enter your username and password, after which the service or account texts you or otherwise sends to a phone you enroll a one-time code that you will enter in the next step of the login process. By enabling this protection, the leaking of your password or some other compromise of its integrity does not threaten your account, because any nefarious characters would also need to have access to your enrolled phone, which is generally something that is always in your possession. Something you have and something you know.

Editor’s Note: A website has been created for Gmail owners to quickly find out if their Google account was part of the aforementioned leak of 5 million user account details. Check to see if your account is on the list by visiting the “Is my email leaked?” website.

Setting Up Google 2-Step Verification

Google calls this method of authentication “2-step verification,” and it is not difficult to get it set up.

3. In the first step you enroll the phone—preferably a mobile phone or smartphone, but it could be a landline if that is all you have consistently available—to which Google will send the one-time password tokens. Enter your phone number in the box, and then choose a voice call from an automated robot or a simple SMS text message.

Note: Do NOT use your Google Voice number, as Very Bad Things will happen.

4. In the second step you confirm the code that was sent to the phone you entered in step 1.

Verifying your phone verification code. (Image: Jonathan Hassell)

5. In step 3, you can choose to trust the computer you are using to enroll two-step verification. If this is your main PC, you can save some time. I would recommend not enabling the cookie on laptops or mobile devices, because if one of those gets lost and your regular password is saved on it, two-step verification becomes completely ineffective on that device.


6. In step 4, which is the final step, you confirm you want to enable your Google account in this whole deal. I am not sure how many people go through all four steps and then choose not to enable, but I suppose that is what they mean when they say, “don’t be evil.” Click the blue confirmation button, and then you are all set and protected.

Turning on 2-factor authentication. (Image: Jonathan Hassell)

Once you have enabled 2-step verification, sign in to your Google account by performing the following steps:

Enter your username and password on the sign in page.

Google will then send a code via SMS text, a voice telephone call, or the Google smartphone app, which is available for iOS and Android devices.

You will enter this code on the next page to verify that you are who you say you are.

Application Specific Passwords

Some applications will stop working once you enable two-step verification, including iPad and iPhone Gmail access and some chat programs. For these applications, Google can generate an application-specific password that turns off the multi-factor authentication for just that app. To turn that feature on, head to https://security.google.com/settings/security/apppasswords?pli=1. From the drop-down lists, simply choose the application you need and the device you want to use that application on, and the password will be generated for you.

Printing Backup Codes

Imagine a scenario where you are unable to receive voice calls or text messages, but you still need access to your Gmail account. (Hypothetically, this may or may not have happened to me as I tried to write this piece on an airplane at 30,000 feet.)

For just this reason, Google has created backup codes, which are codes generated in advance that you can print out or write down to keep with you in the event you need to sign in but cannot obtain a fresh one-time password.

Alongside its platform-as-a-service and infrastructure-as-a-service (IaaS) offerings, Microsoft Azure comes replete with custom networking tools that make it simple to set up a virtual network and cross-boundary connections between the Microsoft datacenter and you. In this article, I’ll show you how to set up a Microsoft Azure virtual network and talk about the new Azure point-to-site and site-to-site VPN.

Microsoft Azure Virtual Networks

Virtual networks are just that—a virtual, logical path that you can configure within your Microsoft Azure account that runs on top of the physical network in Microsoft’s data centers.

Virtual networks run IP only. IP address assignment is handled by DHCP; static IPs are not supported. You would want to create an Azure virtual network for three main reasons:

Customizing the IP numbering scheme instead of accepting the default IP numbering from Microsoft, which is useful if you have an overall address corpus and want to use IP address management tools.

Segregating services among virtual machines that run different tiers of a service, such as web and middle tiers.

Enabling virtual private networks between either a single computer on your own network or your entire on-premises network, and the Microsoft Azure data center network.

4. On the Virtual Network Details page, enter a friendly name and the service region where this virtual network should be established. Click Next.

5. On the DNS Servers and VPN Connectivity screen, enter the information for any virtual machine that will be hosted on this virtual network. This is essentially like filling out a DHCP scope with options. You can leave it blank, and Azure will handle DNS, but if you want to create VPNs, then you should enter the IPv4 addresses of your on-premises DNS servers. You can also click the check boxes to configure either point-to-site or site-to-site VPNs. More on those later, so click Next.

6. The Virtual Network Address Spaces page appears. This is where you determine the IP numbering scheme you will use. You can use any of the private spaces you like. By default, Azure will give you 10.0.0.0/8 and will automatically build in a 10.0.0.0/11 subnet for future use. Click Next.

7. You’re done. Now you can create virtual machines as you see fit and assign them to this virtual network.


Tip: Be careful! It is very difficult and in most cases impossible to change properties of virtual networks and to reassign virtual machines attached to one virtual network to another virtual network. Additionally, you have to create virtual networks prior to spinning up new virtual machines. This is because you cannot attach an existing virtual machine to a new network. So plan diligently and double-check your setup before committing. Otherwise you may have to start over if you make a mistake.

Microsoft Azure Point-to-Site VPN

About a year or so ago, Microsoft introduced point-to-site VPN connectivity to Microsoft Azure, which essentially means individual computers can create VPN connections directly into the Microsoft Azure data center. The computer can then access virtual machines, databases, websites and other resources as if they were on the network local to the individual computer.

Why would you want to use a point-to-site VPN? If you are a developer or an IT pro that is looking to build out a lab environment or a testing virtual machine within Microsoft Azure, then you can use the point-to-site VPN to have a single network that frees you from worrying about addressing problems, DNS and other issues that crop up when moving a solution that’s hosted on one network to another.

It is also a cinch to set up: you can simply download a connectoid package right from the Microsoft Azure management portal and double-click it to create the connection, which is secure by default.

The VPN client included in the box with Windows 7 and 8 works just fine, and no other configuration or hardware devices are needed to create the VPN connection. It is a quick and dirty method to get a connection from, say, one PC you are using on your desk to a virtual machine that is hosted up in Microsoft Azure.

To do point-to-site VPNs correctly, follow the steps in the first section of this article. However, in step 5, click the point-to-site VPN checkbox. Next, the Point-to-Site Connectivity screen appears. You can configure the address space that the VPN will use. Azure automatically adds a 10.0.0.0/24 space, which gives you 254 potential addresses for your on-premises endpoint to use. Click Next, and follow the rest of the wizard as it appears.

Microsoft Azure Site-to-Site VPN

A site-to-site VPN in Microsoft Azure lets you set up one network that connects your on-premises network with a virtual network within Microsoft Azure. It uses the public Internet as the transport medium between the two locations. Once you have set up a site-to-site VPN, you can host virtual machines in the cloud that are addressed in the same scheme and connected to the same network as your on-premises servers.

You can host a domain controller in Azure to provide fault tolerance, and you can export and import VMs to your heart’s content. This essentially makes Azure a large extension to your existing datacenter that you control.
Setting these up takes some doing, so we will cover site-to-site VPN configuration in an upcoming Petri IT Knowledgebase article.

One of the big concerns many organizations and IT professionals have about moving to the cloud, especially for business critical workloads like e-mail and calendaring, is that you have to trust someone else with your data. You have to have faith in your provider that they will maintain their systems properly, assure uptime, not let anyone access or remove your data without your explicit consent, and generally keep your data safe and secure. Various cloud providers have different levels of commitment to security and also different levels of transparency when it comes to sharing with customers what those providers are doing to fulfill those commitments.

At TechEd 2014, Microsoft’s Julia White, a general manager in the Office 365 division, announced the Office 365 Trust Center, a single place where the company reveals its efforts to keep individual organizations’ tenant data secure from both Internet based threats and also from governmental agencies and third parties that attempt to force Microsoft to turn over your data from a compliance perspective.

The Four Pillars of Office 365 Trust

The Office 365 Trust Center stakes the service’s reputation on four pillars:

Office 365 Security

Microsoft considers Office 365 security in four different ways: The security of the physical datacenters where the servers are housed; logical security, for restricting administrator rights and maintenance processes as well as application whitelisting on the servers themselves to prevent malicious code from running; data security, which involves encrypting data both when it is in transit to Office 365 and when it is at rest within the datacenters as well as monitoring threats and electronic intrusions and preventing attacks; and administrator and user controls for customers, encompassing rights management, the ability to send encrypted e-mail, and data loss prevention features that prevent your employees and users from leaking information in e-mail and attachments.

Takeaway: It is probably fair to say that Microsoft engineers and facilities can carry out this responsibility at least as well as you and your IT department can, given the vast amount of resources the company has.

Office 365 Privacy

The privacy space is where most reasonable objections to moving to the cloud come in. As the ability for governments to intercept and monitor traffic and data both in transit and at rest comes to center stage after the Edward Snowden / National Security Agency leaks, the question on many minds is whether cloud providers will stand up to law enforcement and intelligence agencies that attempt to gain access to customer data by asking the cloud provider, and not the business, for the keys to the kingdom. The only statement the Trust Center explicitly makes in writing regarding this phenomenon is an infirm one, if optimistic: “If a government approaches us for access to customer data, we encourage the inquiry to be made directly with you, the customer and will challenge attempts to prohibit disclosure in court.”

The other point being made in this section is that your data is never used for advertising or data mining purposes nor is it sold to outside parties, unlike you might expect from Google Apps.

Takeaway: The Trust Center will not assuage your concerns if you are worried about the government interfering with your data, even if Microsoft only fulfills the role of data custodian and processor. Microsoft makes no commitment to resist if the FBI shows up with a search warrant and demands the data from your tenant, or even the servers on which your tenant runs in the event that your tenant neighbor, not you, is under investigation. No assurances here.

Office 365 Compliance

Exchange 2010 introduced several litigation-related features like eDiscovery and hold, and those features carried over into Exchange 2013, the basis of the Exchange Online and Office 365 service. Microsoft reveals that the Office 365 service meets HIPAA BAA, ISO 27001, FISMA, and EU model clauses and is independently verified by a third-party auditor. Microsoft also has a team evaluating regulatory standards in major markets around the world and how those standards are evolving, and that team makes design decisions for new controls based on those regulations that will eventually be integrated into the service (and, you would expect, into the on-premises versions of the applicable software—eventually).

Takeaway: If you are already invested in Microsoft Exchange, you don’t lose any features when it comes to compliance, but you don’t gain any, either. If you’re moving from a competing e-mail solution, Office 365 delivers the compliance goods.

Office 365 Transparency

In this pillar, Microsoft reveals that they will always let you know in what geographic region your data lives so that you can stay on top of regulatory data storage requirements, and they have all the usual support channels available as well as a commitment to 99.9% uptime (which, to their credit, they have exceeded in the last seven calendar quarters).

Takeaway: The service is widely available and about as reliable as you will get. This is not news to anyone, although publishing the uptime statistics publicly and exactly may be new.

I am not sure the Office 365 Trust Center is going to change many minds about the cloud and its suitability for any particular implementation. While the whitepapers and videos that go into the behind-the-scenes detail of the service are interesting from the standpoint of seeing faces and imagery, there is not a lot revealed in the Trust Center materials that really stands out for business decision makers and IT professionals who are not already sold on Office 365.

I’d like to see Microsoft take a position on the following issues:


A firm commitment to not offer governments access to data unless you, the tenant and the owner of the data, are informed that data has been made available. No more secret subpoenas or “encouraging” law enforcement to let you know.

A timeframe for how the service will evolve with new features and updates—a standardized schedule and a better way administrators could trust that their end user experiences would not change.

Data encryption to be on by default and turned off only through a series of dire-sounding warnings.

What would you like to see from Office 365 and the Office 365 Trust Center?

You may have heard a lot about Microsoft Azure, which was (until recently) formally known as Windows Azure. But you might not know exactly how the Azure service can fit into your plans. Microsoft Azure has come a long way from its initial introduction in the fall of 2008 and really has something for most businesses and organizations. Microsoft Azure can effectively function as:

A complete datacenter for microbusinesses and small business

A disaster recovery solution for organizations of all sizes

A scalable way to host web sites outside of your existing infrastructure

A way to run lab and test scenarios using virtual machines nearly identical to the ones you can create in your office

If you’re new to Azure, it can be difficult to know where to begin. The idea behind this new series of articles is to take you, as someone brand new to Microsoft Azure, through the options and show you exactly how you can get set up and running, and how you can enable some of the cooler scenarios that Azure makes possible.

What Can You Set Up in Microsoft Azure?

Once you have established your Microsoft Azure account you can set up the following:

Websites, which are basically managed Internet Information Services (IIS) accounts that run specific web applications in either free mode, which operates at no cost to you but has significant limitations on capacity, or paid mode, which assigns specific resources at a cost.

Virtual machines, which we’ll talk about in the next section.

SQL databases, which can be used by websites or other cloud services.

Storage, including virtual hard disks of any size, depending on what kind of budget you have.

Media services like streaming audio and video, with probably better availability metrics than you would be able to achieve on your own.

Visual Studio Online, which is essentially hosted source code control for your development teams, based on the well-regarded Team Foundation Service.

The console (shown below in Figure 1) is easy to use and shows all of these options in the left menu area.

Set Up a Virtual Machine

One of the best ways to use Microsoft Azure is as a test bed. In just a few clicks, you can spin up any number of virtual machines, customize their networking, and use them just as if you unboxed physical hardware and plugged it into your local switch. It’s great for testing scenarios, getting to know new software, working on certification exercises, and more. Let’s look at how to get started creating virtual machines.

On the manage.windowsazure.com control panel, click Virtual Machines.

In the middle pane, click the Create a Virtual Machine link.

The UI experience will bring up a gray box in four columns, as shown below in Figure 2. You can choose Quick Create, which lets you input all of the options needed to spin up a VM on one screen to get you started as quickly as possible. Or you can choose the From Gallery option, which lets you browse a library of virtual machine options with all manner of operating systems including Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, various flavors of Linux, Oracle, and prebuilt application suites like SharePoint, BizTalk, and Dynamics NAV and GP. For the purposes of our example, we’ll just set up a quick Windows Server 2012 R2 virtual machine using the Quick Create option.

In the rightmost column, enter the following:

– The name for the virtual machine (between 3 and 15 characters, and no funky symbols as it is a DNS name)
– The base OS image to use. If you’re in doubt, for now create a Windows Server 2012 R2 machine to check things out.
– The size, which is basically how many processor cores your VM will use and how much RAM will be dedicated to the machine. More cores and more memory costs money, of course.
– The administrator’s username and password
– Which datacenter this virtual machine should run in. Pick the closest one to your current location.
– Click Create Virtual Machine.

At that point, the console will redirect you to the Virtual Machines page, and you will see the provisioning process take place under the status column, which you will see in Figure 3. After five minutes or so, your machine should have a green check mark and the text “Running” listed, which means it is ready to go. Congratulations, you have an instance of Windows Server running in the cloud.

Provisioning a new virtual machine

Virtual machines are accessible from the Internet using a *.cloudapp.net address, where the asterisk is the name of the virtual machine you entered during setup. You do need to enable Remote Desktop in order to get an RDP session going to your new virtual machine, which we will cover in the next section.

Use Remote Desktop to Administer Azure Virtual Machine

As you might suspect, to manage virtual machines in Microsoft Azure, you use Remote Desktop Protocol. Advantages? The client is built directly into Windows, so there is no need to download any additional software. Disadvantages? Not many, unless you’re on a Linux or Mac machine, where the clients are less full featured.

To log in via remote desktop, go over to the Virtual Machines page, click on the virtual machine you want, and then on the bottom control panel, click Connect. Your browser will prompt you whether to open or save an RDP file with the name of your virtual machine, as shown in Figure 4. Save this to your desktop or other location.

Then, open up the RDP file which will launch the Remote Desktop Connection client. Accept the security warning (this is simply because the certificate being presented by your new virtual machine is not trusted by your current machine), enter the username and password you configured when creating the machine, and then you are in.

Downloading the RDP file from the management console.
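The Quick Create and Connect steps above, done from the classic Azure (Service Management) PowerShell module that matched the manage.windowsazure.com portal of the time, as an added example that is not from the original article. The service and VM names, location, admin user name and instance size are constructed placeholders; the cloud service name must be unique across *.cloudapp.net.

```powershell
# Added example (not the article's own code): Quick Create a Windows Server
# 2012 R2 VM and fetch its .rdp file with the classic Azure PowerShell module.
# All names below are constructed placeholders.
Import-Module Azure
Add-AzureAccount                        # interactive sign-in to the subscription

$serviceName = 'petri-lab-vm01'         # becomes petri-lab-vm01.cloudapp.net
$vmName      = 'petri-lab-vm01'         # 3-15 characters, DNS-safe, like the portal demands
$location    = 'West US'
$adminUser   = 'labadmin'
$adminPass   = Read-Host 'Administrator password' -AsSecureString

# Pick the newest Windows Server 2012 R2 Datacenter image from the gallery
$image = Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq 'Windows Server 2012 R2 Datacenter' } |
    Sort-Object PublishedDate -Descending |
    Select-Object -First 1

# New-AzureQuickVM takes a plain-text password; convert it only at the call site
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($adminPass)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# -WaitForBoot blocks until the role reports ready, the portal's green "Running" mark
New-AzureQuickVM -Windows -ServiceName $serviceName -Name $vmName `
    -ImageName $image.ImageName -AdminUsername $adminUser -Password $plain `
    -Location $location -InstanceSize 'Small' -WaitForBoot
Remove-Variable plain

# Confirm status and review which public endpoints the new VM exposes;
# Quick Create opens RDP on a public port by default, so know what is listening
$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
$vm | Select-Object Name, Status, InstanceSize, IpAddress
$vm | Get-AzureEndpoint | Select-Object Name, Protocol, Port, LocalPort

# Download the same .rdp file the portal's Connect button offers
Get-AzureRemoteDesktopFile -ServiceName $serviceName -Name $vmName `
    -LocalPath "$env:USERPROFILE\Desktop\$vmName.rdp"
```

Opening the downloaded file still shows the certificate warning described above, because the VM presents a self-signed certificate that your client does not trust.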

In my next post, I’ll show you how to make your Azure virtual machines a natural extension of your own on-premises network.


The Internet was hardly stunned by Microsoft’s announcement on December 17, 2013, that it was killing off one of the last remnants of its Forefront product line: Forefront Unified Access Gateway (UAG).

UAG’s sister product, Forefront Threat Management Gateway (or as many know it, ISA Server), was already put out to pasture in 2012, but the silence around the future roadmap for UAG made many uneasy, particularly as UAG used a base install of Threat Management Gateway to secure itself.

Forefront Unified Access Gateway (UAG): What Happened?

In a way, UAG was always a time-bound product. It came to Microsoft as the result of the acquisition of Whale Communications in 2006, serving a purpose that was appropriate at the time: to provide fat clients access to internal services from remote locations. Throughout, Microsoft had been billing UAG as a great product to use as a reverse proxy, publishing internal services out to beyond the edge of the network in a secure, inspected way. With a huge service pack after its release, UAG also served to provide a much-needed shortcut in the Windows Server 2008 R2 era to get the DirectAccess remote access and management solution working without tying yourself in knots. For those companies not interested in deploying DirectAccess, it also made a capable SSL VPN solution for secure work on the go.

Nowadays, however, people need more than fat client solutions. Tablets are everywhere. Devices are personally owned. And most organizations are interested in exposing and publishing services as opposed to working on virtual desktops and VPNs (and there are still great solutions available for both of those latter scenarios). Microsoft didn’t see much use for a standalone UAG product going into the future, so it was canned amid its transition to a devices and services company.

4 Forefront UAG Alternatives

That is not much solace to UAG’s installed base. If you are one of those folks, it falls to you to find a replacement solution. Here are four options that may work for your organization.

The in-the-box solution: This one just might give you one more excuse to get some Windows Server 2012 R2 licenses. In Microsoft’s newest operating system, the Remote Access role includes a feature called Web Application Proxy that replicates about 65 percent of the technology that Forefront UAG put into place. The reverse proxy feature built into the OS securely publishes internal resources out to the Internet and most deployments of, say, Work Folders or workplace join—key work anywhere features Microsoft put into Windows Server 2012 R2—demand a reverse proxy of some sort. If your publishing needs are fairly simple, then UAG might have been overkill and the Web Application Proxy feature may fill that role just fine. Luckily, it is easy to stand this up in a lab and experiment with it, as all you need on the software front is your OS disc.

The existing free solution: In many cases a module for IIS called Application Request Routing, or ARR, can perform reverse proxy services. ARR is a fast, well-written module that can act as a reverse proxy for a variety of situations. In fact it is the recommended solution for publishing internal services, such as an on-premises Exchange Server or a Lync Server deployment, in a Windows Server 2012 Essentials or Windows Server 2012 R2 Essentials network. This lets the Outlook Autodiscover and RPC over HTTP features (sometimes known as Outlook Anywhere) work over a box with a single public IP address. ARR plugs right into IIS and goes right back to Windows Server 2008, so if you are not ready to deploy the latest and greatest OS, ARR may well provide a simple reverse proxy function that meets your needs.

Third-party reverse proxy solutions: Many popular third-party solutions exist to fill the roles reverse proxies execute for networks—to screen inbound user requests for sensitive services, protect weak internal resources while still allowing them to service users beyond the network boundary, and apply validation and policy while an inbound session is active. Some popular alternatives include the following software:

Blue Coat ProxySG Web Application Reverse Proxy

F5 Networks BIG-IP Reverse Proxy

You might, however, be spending big bucks for these solutions.

Cobble together an open-source solution: Apache, the open source HTTP web server software, has long supported reverse proxies through the mod_proxy module, which has traditionally been used for load balancing purposes and to publish content using an intelligent content delivery network, or CDN. You could potentially use Apache and mod_proxy to cobble something together, but I would recommend ARR or the Web Application Proxy as first resorts for best compatibility and results.
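Standing up the in-the-box Web Application Proxy option from the first alternative above, as an added example that is not from the original article or from Microsoft's documentation. It assumes a Windows Server 2012 R2 edge server and an existing AD FS farm; the host names, relying-party name and certificate thumbprint are constructed placeholders.

```powershell
# Added example (not the article's own code): publish an internal web app
# through the Windows Server 2012 R2 Web Application Proxy role service.
# Host names, relying-party name and thumbprint are constructed placeholders.

# 1. Install the role service on the edge (DMZ) server
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 2. Register the proxy with the AD FS farm. The certificate must cover the
#    federation service name and already be in the local machine store.
$fsCred = Get-Credential -Message 'AD FS administrator (one-time trust setup)'
Install-WebApplicationProxy -FederationServiceName 'fs.example.com' `
    -CertificateThumbprint 'PLACEHOLDER_THUMBPRINT' `
    -FederationServiceTrustCredential $fsCred

# 3. Publish an internal app with AD FS pre-authentication: the proxy
#    authenticates the user before any request is forwarded to the backend
Add-WebApplicationProxyApplication -Name 'Intranet Portal' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Intranet Portal' `
    -ExternalUrl 'https://portal.example.com/' `
    -BackendServerUrl 'https://portal.corp.example.com/' `
    -ExternalCertificateThumbprint 'PLACEHOLDER_THUMBPRINT'

# Pass-through publishing skips pre-authentication and is meant for protocols
# whose clients cannot do AD FS (Outlook Anywhere is the usual case); the
# backend then carries the whole authentication burden, so use it deliberately
Add-WebApplicationProxyApplication -Name 'Outlook Anywhere' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://mail.example.com/rpc/' `
    -BackendServerUrl 'https://mail.corp.example.com/rpc/' `
    -ExternalCertificateThumbprint 'PLACEHOLDER_THUMBPRINT'

# 4. Review what is published and how each entry is pre-authenticated
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```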

The good news for UAG users in all of this? You will be supported through April 14, 2015, with standard patches and telephone support, and the product enters extended support after that until April 14, 2020 – more than six years from the time of this writing. So the barn is not burning down immediately, but a replacement for UAG should be on your medium-term search list.
